[DNSOP] Minutes from IETF 84 DNSOP Meeting
Stephen Morris <sa.morris7@googlemail.com> Thu, 09 August 2012 11:17 UTC
Return-Path: <sa.morris7@googlemail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 665AF21F86CA for <dnsop@ietfa.amsl.com>; Thu, 9 Aug 2012 04:17:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.669
X-Spam-Level:
X-Spam-Status: No, score=-102.669 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_20=-0.74, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mNpeDMQr8afG for <dnsop@ietfa.amsl.com>; Thu, 9 Aug 2012 04:17:46 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6ED3D21F86C9 for <dnsop@ietf.org>; Thu, 9 Aug 2012 04:17:46 -0700 (PDT)
Received: by eekb45 with SMTP id b45so109889eek.31 for <dnsop@ietf.org>; Thu, 09 Aug 2012 04:17:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=from:content-type:content-transfer-encoding:date:subject:to :message-id:mime-version:x-mailer; bh=q4+/CDI1wXeA1391gkB/fZQsGtm/4j4Og7zw1BIedYM=; b=x6NuGzu9THlpRrkWL08zBd4ydS0qvaY8FubUBjsLXYRzxCnkeA3vqlFxVIdFdIFIX/ NVgiw191x5yRkhdl9PAlaDMAlz+u7sMWIoNbv1ARAN5i0iWWpZS7XA0qPa9WhrGOyNcH iOPwnItNHgN+NvDefISedbpuxllPXGB3+zGYhj92bIiSDP5ZfE/fqUVlLBb1AXrzAUxl cKoKM+6DGtDLMq1NnZBu5vjLMmGbM7yeFKXHwsrEguLYnjdu8ol9eBHPfpOSxhUQcUC1 0MeMfbJfjQohd1+nAbo/ww9Go8tzYV2YKiwv7ZNTXcCzyq2Pu8L6rErg1m6f1aBo+hSw y91w==
Received: by 10.14.210.194 with SMTP id u42mr27185685eeo.11.1344511065642; Thu, 09 Aug 2012 04:17:45 -0700 (PDT)
Received: from [192.168.1.101] ([217.155.47.50]) by mx.google.com with ESMTPS id g46sm2609437eep.15.2012.08.09.04.17.43 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 09 Aug 2012 04:17:44 -0700 (PDT)
From: Stephen Morris <sa.morris7@googlemail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 09 Aug 2012 12:17:41 +0100
To: dnsop@ietf.org
Message-Id: <7C82E526-2A7D-466D-B2C1-49AB350FBCE7@googlemail.com>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [DNSOP] Minutes from IETF 84 DNSOP Meeting
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2012 11:17:48 -0000
The minutes from the WG meeting last week in Vancouver are here for review; they have also been uploaded to the meeting materials page. Please advise the chairs of any errors or omissions. Stephen ==== WG: DNS Operations (dnsop) Meeting: IETF 84, Vancouver Location: Hyatt Regency Vancouver, Georgia B Date: Thursday, 02 August 2012 Time: 17:30 - 18:30 (UTC-07:00) Chairs: Peter Koch <pk@denic.de> Stephen Morris <stephen@isc.org> Jabber Log: <http://www.ietf.org/jabber/logs/dnsop/2012-08-03.html> (Times in brackets are times on the audio record: http://www.ietf.org/audio/ietf84/ietf84-georgiab-20120802-1730-pm3.mp3) 0) Introduction [0:00] <http://www.ietf.org/proceedings/84/slides/slides-84-dnsop-2.pdf> 1) Administrivia [0:40] Minute Taker: Alexander Mayerhofer Jabber Scribes: Andy Newton, Patrik Wallstrom 2) Status Update (drafts not mentioned in "Active Drafts") [3:20] draft-ietf-dnsop-respsize: This should go to the IESG really soon. It has already had several last calls, so another nits review will be done, then the proto write-up created and posted to the list for a week or two (instead of doing another last call). After this it will be sent to the AD. 3) Active Drafts 3.1) <draft-ietf-dnsop-rfc4641bis> [5:00] This is finally off the chairs' plate - there have been a couple of revisions since WG last call. It is currently awaiting AD evaluation and IETF last call (the chairs are expecting comments from broader community). Some typos have already been found, and these will be corrected after IETF last call. 3.2) <draft-ietf-dnsop-dnssec-dps-framework> [5:40] IETF last call finished on 17 July, and was discussed at IESG meeting on 18 July. There were three DISCUSSes: one concerned copyright permission and has been cleared. The second concerns communication of a change of DNSSEC policy (with a related comment about PKI comparison): the intention is to make some changes to clear this. The third comprises three questions about: agreements with relying parties, trust anchor distribution, and description of algorithm rollovers: it is hoped these can be cleared in discussion with the relevant AD. The chairs are in discussion with the editors on these and hope to clear them with the ADs. Significant changes will be posted to list: if no objections, a -09 version will be submitted. 3.3) Next steps in Key Timing (Stephen Morris) [8:00] <draft-ietf-dnsop-dnssec-key-timing-03.txt> <http://www.ietf.org/proceedings/84/slides/slides-84-dnsop-2.pdf> The document got resurrected after about a year. KSK timings (related to RFC 5011) were modified and a minor change made to the section on first keys in a zone. A number of other nits were corrected. In Quebec (IETF-81) there was a feeling that the document should be published. In light of the long delay between versions, and that the -bis version of Matthijs has found some favour on the list, is that still the feeling of the WG? About 15 people have read the document. Matthijs Mekking: Important to continue the work on the base document, but do that quickly. Don't want to wait another year. John Dickinson: As one of the authors of the original draft, please get it published. Andrew Sullivan: Remembers we said quick decision at last meeting. Ship it or kill it, but make a decision. Paul Hoffman: Kill it. Will be the wrong message to the community sending out two documents. Operators will implement this, and later be surprised by the change. Kill it and have the -bis document include everything. Matthijs Mekking: Yep, agree, same question again. Stephen Morris: Is the -bis document based on your experience of implementation? Matthijs Mekking: This document is not flexible enough, this is the experience, eg. when going from signed to unsigned. To sum up, yes. Andrew Sullivan: Don't personally care whether we ship it or not, but make a decision! People out there are waiting for information, and we will give out information that changes, but this is better than nothing. Bill Manning: Perfect is the enemy of the good. Ship it now, at least we have some information out. By the time -bis is ready, something will have changed. If not, kill it. Ship it, but do not stop work on the -bis. If we can get it out quickly, do it. Peter Koch: Heard interesting different things. Are there strong issues with the *current* document? No hands. Putting the question in another way: how many think it is ready for last call? About ten-ish. Who thinks it is not? No-one. Conclusion: WGLC will be issued soon. Question from Jabber: When issued? Definitely before Atlanta! 4) Other (non WG) Internet-Drafts 4.1) Omniscient AS112 Servers (Warren Kumari) [19:35] <draft-wkumari-dnsop-omniscient-as112-00.txt> <http://www.ietf.org/proceedings/84/slides/slides-84-dnsop-0.pdf> Warren Kumari described what AS112 is for - a distributed sink of Anycast servers to answer e.g. RFC 1918 space PTR queries. How will new space be added to AS112? Just send AS112 operators new zone file. However, the AS112 project is really a loose collaboration, many operators unknown. Some enterprises have local AS112 nodes not announced externally. Also cases where contact information is out of date. Omniscient AS112 servers - are authoritative for everything ("."), but know nothing. They comprise an empty zone with SOA and NS records shown. Will authoritatively answer "does not exist" for everything. To add new space to AS112, just delegate the space to them. Main question: should the server be authoritative for "." or ".arpa"? [27:43] Mark Andrews: Examples have AA flag set. Please re-check through recursive servers with local zones turned off - will not work. named does sanity checks on SOA record. Warren Kumari: Original propose was to synthesise answers on the file. Will recheck with BIND. George Michaelson: This is not the last AS112 draft, just the last draft about how to do it. Delegating and undelegating requires a formalism. This proposal makes a lot of sense. Peter Koch: Do you have an opinion on the "." SOA record? George Michelson: Am confused about what happens if someone is directed to one of these servers. Absolutely sure there are no side effects? Warren Kumari: Absolutely sure there are side effects. Bill Manning: Looks hauntingly familiar. It might also work if doing a wildcard in the existing root (laughter) Serious question: If you are authoritative for the root, two questions: how is this different from people running their own root, and are you going to sign it? Warren Kumari: Not going to sign it. For other question, not hugely different, but different motivation. Ondrej Sury: Different, because there are delegations to those servers. Not pretending you are root. Lars Johan Liman: If you are going to be authoritative for the root, why lie? Why not put the true root zone there? Warren Kumari: Because you are just trying to serve an NXDOMAIN. Lars Johan Liman: Problem is that NS records could be cached. Respond with the real root zone instead! Also, this plays into hands of people who want to fiddle with domain names, e.g. requests from law enforcement who want names removed: perfect infrastructure for it. Warren Kumari: Answer to second point is that if you can delegate to these, you can remove the zone. Questions: a) is it worh progressing, possibly synthesising responses b) adopt this document? Peter Koch: Significant issues raised, please continue the discussion, adoption would be premature. 4.2) Child-Parent DNSSEC Key Exchange (Paul Wouters) [38:00] <draft-wouters-dnsop-secure-update-use-cases-00.txt> <http://www.ietf.org/proceedings/84/slides/slides-84-dnsop-1.pdf> (Peter Koch: Introduction - Paul Wouters volunteered to write use cases following a couple of rounds on this and other mailing list where people came up with ideas for substituting/exectinging provisioning stream for key material.) Use cases. Can we use DNSSEC to solve problems we had before but could not address because we did not have authentication? This is not about replacing dynamic updates in any way. Have assumed that the target RRTYpes are DS/NS/glue. Trying to take into account various relationships between parent and child. Hope that we can parallelize use cases and specification at the same time. Peter Koch: How many read the draft? 10-15? Andrew Sullivan: Have read, appreciate the work, perfectly good as a starting point for WG. Support adopting it. Parallelizing the work (doing requirements and implementation) is a bad idea. We should try to get this done pretty quickly, would like to see the WG working on this. Mark Andrews: DNSSEC is a catalyst, definitely work we need to do. Johan Ihren: Have implemented this sort of thing before, and it works. Not clear this is a DNS issue: although data goes in-band, need triggering mechanism outside of DNS. Antoin Verschuren: Remember starting this, was enthusiastic back then. Needs and external authentication mechanism to bootstrap, therefore always two mechanisms in place - needs to be clear in the document. Question about adoption, especially by ICANN and registrars. Paul Wouters: Further down the tree there is no registry etc. involved, and we want to automate things there. Paul Hoffman: Johan - are you OK with limiting the use cases to *finding* the trigger in the DNS? If use case is everthing in DNS, is that OK? Johan Ihren: Seeing problems, but very much in favor of progressing this! Question of automating *lots* of delegations further down the tree - costs can be minimised. Paul Hoffman: Very much in favour of work being done. Patrik Wallstrom: We are so bound by policies, we cannot possibly bypass the registrars, cannot see how registrars will be involved in this WG. Registrars need encouragement to do it. Olafur Gudmunsson: Nothing to stop registrars vetting data. Patrik Wallstrom: Problem with separation of registries and registrant. Olafur Gudmunsson: But data is in the DNS, added by registrar, this is just another mechanism to passing it through. Johan Ihren: Nothing to prevent parent discovery, very difficult to work out how do that notification in-band. Peter Koch: Devoting time and energy of WG participants means there needs to be chance of deployment. Need to discuss this further on the list. Can we frame the problem such that any solution is used beyond "DNS geeks"? How big is the target audience? Andrew Sullivan: People who paid for me to come here want this, not only for registry/registrar operations. Peter Koch: Conclusion: Take this to list, please. Seriously. Have to continue framing discussion there and collect input, then make a determination - *before* Atlanta. Matthijs Mekking: If people in the room want to adopt the document, why do we have the question? Peter Koch: "Price Tag" is in the commitment for the document. Even though we adopt documents, we have a hard time getting input and quality reviews. Wes Hardaker: "I use the Internet" - What's frequently broken is the parent/child relationship, worse with DNSSEC. This will be a god-send in synchronizing the data! Promise to read and review the document. Problem is there and needs to be fixed. 6) A.O.B. DNS operational/counter data collection (Simon Perreault) [57:35] <draft-perreault-dnsop-stats-mib-01.txt> <http://www.ietf.org/proceedings/84/slides/slides-84-dnsop-4.pdf> DNS statistics collection: TLD operator who has third-party anycasts and wants per-node statistics. Proposed is MIBs - simple read-only counters based on BIND9 statistics (that's what's in the draft). Simple goal - expose usage statistics over SMTP - don't want to configure or control it. MIB was simple to write. John Dickinson: Never heard anyone say MIBs are easy to write. Are alternative ways, e.g. NETCONF, which has advantages such as role-based access control. Peter Koch: How many people have read this? Five-ish. Two questions: a) is the problem worth exploring and then b) are MIBs the right way? Recommend abstract the problem from the MIB solution. Lars Johan Liman: Idea of a DNS MIB is not new, it's been around at least once (or twice?). Compare with previous attempts? Should not preclude other access methods to access the data. 5) I/O with other WGs [1:04:35] Peter Koch: Please look at the other WGs eg. HOMENET. Actions ======= 1) [ALL] Respond to change suggestions for the DPS framework once they hit the list. IESG comments can be found at: <https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-dps-framework/ballot> 2) [Peter] NITS review and PROTO writeup for <draft-ietf-dnsop-respsize-14.txt> 3) [Peter] Issue WGLC for <draft-ietf-dnsop-dnssec-key-timing-03.txt> 4) [Chairs] Frame discussion around the child/parent interaction on mailing list 5) [Chairs] Stipulate discussion on the issue of stats collection (problem vs MIB or other solution) (Version: 2012-08-09 09:23)
- [DNSOP] Minutes from IETF 84 DNSOP Meeting Stephen Morris
- Re: [DNSOP] Minutes from IETF 84 DNSOP Meeting Matthijs Mekking